Web-based single sign-on with form-fill proxy application

ABSTRACT

Web-based single sign-on can enable a user to log in to a single interface (such as through a web browser or thin client) and then provide SSO services to the user for one or more web applications. The web-based SSO system can be extended to support one or more different access control methods, such as form-fill, Federated (OIF), SSO Protected (OAM), and other policies. The web-based SSO system can include a user interface through which the user can access different web applications, systems, etc. and manage their credentials. Each SSO service can be associated with a web interface allowing the SSO services to be accessed over the web. The web interfaces can provide CRUD (create, read, update, delete) functionality for each SSO service. To support different access policy types, the web-based SSO system can include an extensible data manager that can manage data access to different types of repositories transparently.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, and claims benefit and priorityto U.S. Non-Provisional patent application Ser. No. 14/493,218, filedSep. 22, 2014 and entitled “WEB-BASED SINGLE SIGN-ON WITH FORM-FILLPROXY APPLICATION,” which claims benefit and priority to U.S.Provisional Patent Application No. 61/880,800, filed Sep. 20, 2013 andentitled “SYSTEMS AND METHODS FOR WEB-BASED SINGLE SIGN-ON.” The entirecontents of each of the above-identified patent applications are part ofthis disclosure and incorporated by reference herein for all purposes.

BACKGROUND

In an enterprise, users (e.g., employees) typically may have access toone or more different systems and applications. Each of these systemsand applications may utilize different access control policies andrequire different credentials (e.g., user names and passwords). This mayrequire a user to manage many different credentials for the systems andapplications they regularly use, leading to password fatigue, wastedtime entering and reentering credentials, and additional IT resources torecover and/or reset lost credentials. Single sign-on (SSO) can providea user with access to multiple systems and applications after an initiallog-in. For example, when the user logs-in to their work computer, theuser can then also have access to one or more other systems andapplications.

Previous SSO solutions were desktop-based, including a desktop clientexecuting locally on the user's computer that allowed the user to managetheir credentials and provide other SSO services and administration.This required a desktop or laptop computer to execute the client andaccess the user's systems and applications. The locally executing clientcould monitor the user's activity to provide single sign-on services.However, users increasingly access web-based services using smart phonesand tablets that may not be able to execute a full desktop SSO client.Additionally, these previous SSO systems typically could providesingle-on for systems that utilize the same access control type, but didnot integrate applications that use different access control types. As aresult, SSO may provide single sign-on for several of the user'sapplications, but the user may still be required to log-in manually toother systems or applications.

BRIEF SUMMARY

In accordance with an embodiment, web-based single sign-on can enable auser to log in to a single interface (such as through a web browser orthin client) and then provide SSO services to the user for one or moreweb applications, systems, and other services. The web-based SSO systemcan be extended to support one or more different access control methods,such as form-fill, Federated (OIF), SSO Protected (OAM),Privileged/Shared (OPAM), Oauth, and other policies. The web-based SSOsystem can include a user interface through which the user can accessdifferent web applications, systems, etc. and manage their credentials.Each SSO service can be associated with a web interface (such as a RESTinterface) that enables the SSO services to be accessed over the webusing any web-enabled device, for example through a browser, without afully featured client deployed to the user's device. The web interfacescan provide CRUD (create, read, update, delete) functionality for eachSSO service. To support different access policy types, the web-based SSOsystem can include an extensible data manager that can manage dataaccess to different types of repositories transparently.

In some embodiments, requests for web applications can be passed throughan SSO proxy. When the SSO proxy receives a response from the webapplications, the proxy can augment the response with policy informationand other payload content, embed an SSO application that offloads SSOprocessing to the client device, and rewrite the content of the responseas needed. The embedded application, which in some embodiments can beimplemented as a Javascript application, takes advantage of theprocessing power of the client devices to execute the single sign-onfunctionality. For example, template matching, credential injection, andother SSO processing can be handled on the client side. In someembodiments, a user can access additional applications and performadditional SSO management through a web-based logon manager interface.By offloading much of the SSO processing to the client device, thissolution can easily scale to accommodate many devices. Adding the SSOfunctionality to the web-based interface also improves the userexperience.

In some embodiments, a method is provided comprising receiving, at aserver, a request from a client device to access a web application. Themethod can further comprise passing the request to the web applicationand receiving a response from the web application. The method canfurther comprise augmenting the response with policy data and a singlesign-on application to create an augmented response, and returning theaugmented response to the client device.

In some embodiments, the single sign-on application can execute in aclient browser and can be configured to: request a policy associatedwith the web application; match a page received from the web applicationto the policy; request credentials associated with a user to access theweb application; inject the credentials into one or more fields on thepage based on the policy; and submit the credentials to the webapplication. In some embodiments, the single sign-on application is aJavascript application.

In some embodiments, the method can further comprise receiving a requestfrom the single sign-on application for a policy associated with the webapplication; sending a request to a data manager for the policy; andsending a response to the single sign-on application including thepolicy. In some embodiments, the method can further comprise receiving arequest from the single sign-on application for a credential associatedwith a user to access the web application; sending a request to a datamanager for the credential; and sending a response to the single sign-onapplication including the credential.

In some embodiments, the single sign-on application can be configured toidentify a platform associated with the client device; and execute oneor more platform specific operations. In some embodiments, the platformcan include one or more of a client device type and a browserapplication type.

In some embodiments, a non-transitory computer readable storage mediumcan be provided, including instructions stored thereon which whenexecuted by a processor cause the processor to perform the steps of:receiving a request to access a web application; passing the request tothe web application; receiving a response from the web application;augmenting the response with policy data and a single sign-onapplication to create an augmented response; and returning the augmentedresponse.

In some embodiments, a system can be provided comprising a computer,including a computer readable storage medium and processor. The systemcan further include a single sign-on proxy, executing on the computer,wherein the single sign-on proxy is configured to receive requests forweb applications from clients and return augmented responses from theweb applications to the clients. When a request to access a webapplication is received from a client, the single sign-on proxy isconfigured to pass the request to the web application, receive aresponse from the web application, augment the response with policy dataand a single sign-on application to create an augmented response, andreturn the augmented response.

BRIEF DESCRIPTION OF THE DRAWINGS

Illustrative embodiments of the present invention are described indetail below with reference to the following drawing figures:

FIG. 1 illustrates an overview of a web-based single sign-on system, inaccordance with an embodiment of the present invention.

FIG. 2 illustrates a block diagram of a form fill architecture, inaccordance with an embodiment of the present invention.

FIG. 3 depicts a block diagram of a method of injecting an SSO proxyapplication in response to a request to access a resource, in accordancewith an embodiment of the present invention.

FIG. 4 depicts a form fill state diagram, in accordance with anembodiment of the present invention.

FIG. 5 illustrates a pluggable single sign-on application operable toexecute in different environments, in accordance with an embodiment ofthe present invention.

FIG. 6 illustrates a desktop logon manager interface, in accordance withan embodiment of the present invention.

FIG. 7 illustrates a mobile logon manager interface, in accordance withan embodiment of the present invention.

FIG. 8 illustrates a logon manager architecture, in accordance with anembodiment of the present invention.

FIG. 9 depicts a block diagram of a method of accessing a webapplication through a web logon interface, in accordance with anembodiment of the present invention.

FIG. 10 illustrates an SSO server architecture integrating singlesign-on services, in accordance with an embodiment of the presentinvention.

FIGS. 11A and 11B illustrate a policy manager architecture and acredential manager architecture, in accordance with an embodiment of thepresent invention.

FIG. 12 depicts a block diagram of a method of providing SSO servicesthrough web-based interfaces, in accordance with an embodiment of thepresent invention.

FIG. 13 illustrates a data manager architecture, in accordance with anembodiment of the present invention.

FIG. 14 depicts a block diagram of a method of managing credentialsstored across multiple data stores, in accordance with an embodiment ofthe present invention.

FIG. 15 depicts a simplified diagram of a distributed system forimplementing one of the embodiments.

FIG. 16 is a simplified block diagram of components of a systemenvironment by which services provided by the components of anembodiment system may be offered as cloud services, in accordance withan embodiment of the present disclosure.

FIG. 17 illustrates an exemplary computer system, in which variousembodiments of the present invention may be implemented.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, specificdetails are set forth in order to provide a thorough understanding ofembodiments of the invention. However, it will be apparent that variousembodiments may be practiced without these specific details. The figuresand description are not intended to be restrictive.

Systems depicted in some of the figures may be provided in variousconfigurations. In some embodiments, the systems may be configured as adistributed system where one or more components of the system aredistributed across one or more networks in a cloud computing system.

Embodiments of the present invention are directed to web-based singlesign-on service that can enable a user to log in to a single interface(such as through a web browser or client application) and then providesingle sign-on (SSO) services to the user for one or more webapplications, enterprise systems, and other services. The web-based SSOsystem can be extended to support one or more different access controlmethods, such as form-fill, federated identity, policy-based controls,Privileged/Shared accounts, OAuth, and other security systems. Theweb-based SSO system can include a user interface through which the usercan access different web applications, systems, etc. and manage theircredentials. Each SSO service can be associated with a web interface(such as a REST interface) that enables the SSO services to be accessedover the web using any web-enabled device, for example through abrowser, without a fully featured client deployed to the user's device.The web interfaces can provide CRUD (create, read, update, delete)functionality for each SSO service. To support different access policytypes, the web-based SSO system can include an extensible data managerthat can manage data access to different types of repositoriestransparently.

FIG. 1 illustrates an overview of a web-based single sign-on system, inaccordance with an embodiment of the present invention. As shown in FIG.1, single sign-on services 100 can be implemented on an SSO server 102.SSO server 102 can use one or more customized web interfaces 104 toprovide SSO services 100 to one or more different clients 106. In someembodiments, SSO server 102 can be integrated into an access managerserver. This allows one or more different end user clients 106 to accessand utilize SSO services from a single SSO backend. Clients 106 caninclude client devices on which an SSO client application 106A has beeninstalled, these may be referred to as thick, or rich, clients, and caninclude personal computers, workstations, mobile devices, and otherclient devices. Additionally, or alternatively, SSO services can bemanaged and provided by a web application 106B or a browser application,such as a Javascript application, eliminating the need to separatelyprovision and install a standalone SSO application on each clientdevice. As used herein, SSO application can be used to refer to eitherthe standalone SSO client application installed at a client device orthe browser-based SSO application.

Each web interface 104 defines how the clients can access SSO servicesand resources including credentials (user names/passwords, link to afederated or protected site, or other type) and policies that define howthe SSO services interact with applications using the credentials. Insome embodiments, each SSO service 100 can be associated with adifferent web interface 104. In some embodiments, applications can belocal or remote, including web applications such as SaaS or othercloud-based applications and/or services. Being web-based, the user cansecurely access their applications using any internet-connected device.Although REST (representational state transfer) interfaces are describedherein, any web-based interfaces may be used.

In some embodiments, the SSO application can identify authenticationevents using predefined policies stored in SSO services 100. Through theweb interfaces, end user credentials and policies can be managed andapplied to requests received from clients 106. A user can logon at oneof clients 106 by presenting a credential (Smartcard/Proximity card,token, PKI (public key infrastrcture), Windows Logon, LDAP (lightweightdirectory access protocol) logon, biometric device, etc.). Thecredential can then be analyzed by an authentication service. In someembodiments, one or more client-side authentication plugins can detectdifferent authentication events and collect the credential received fromthe user. Each authentication plugin can be associated with a differenttype of credential and/or different logon method. In some embodiments,each authentication plugin can be associated with a grade. In someembodiments, grades can be assigned to types of credentials and types ofrequests. Grades can be stored as numerical values. This enables the SSOsystem to vary its response to a logon request depending on the grade ofthe credential provided by the user. For example, if a user logs-in witha credential associated with a grade of 1, when an authentication eventis identified associated with a grade of 2 or higher, the user can beprompted to provide a higher grade credential. In some embodiments,authentication information can be stored as an authentication cookiewithin a user's browser application. The authentication cookie canobtained from a local or web based authentication service upon receiptof credentials from a user (e.g., when the user logs-in to their clientdevice, through a web-based logon page, etc.). The authentication cookiecan be included with web requests to SSO server 102 and can be verifiedprior to providing SSO services in response to the request. In someembodiments, different services may require different levels ofauthentication which may be embodied in different authenticationcookies. If a user requests a service, but the user's authenticationcookie does not authorize access to the service, the user can beredirected to a login page to obtain a new authentication cookie.

In some embodiments, requests from clients 106 can be received through aSSO Gateway 108, such as a load balancer or other web server. SSOGateway 108 can implement one or more access agents 110 to balancerequests from clients 106. In some embodiments, the user can access anSSO user interface 112A, referred to herein as a logon manager ordashboard, through a client 106 executing on their device or through aweb browser. In some embodiments SSO user interface 112B can beimplemented at SSO system 102. In some embodiments, the SSO userinterface 108 can include a list of the applications the user commonlyutilizes. The user can manage their credentials and policies associatedwith applications through the SSO user interface. When the user requeststo access an application through the user interface, the SSO userinterface can determine the policy type for the application and acquirethe user's credential based on the policy type. In some embodiments,authorization module 118 can verify an authentication cookie includedwith the request to determine whether the user is authorized to retrievethe credential. If authorized, the user can be logged into theapplication using the credential. Various credentials and policies canbe maintained in different repositories. When a request is received toaccess, retrieve, update, delete, or otherwise interact with a storedcredential and/or policy, SSO services 100 can access the correspondingrepository 120 through a data manager 122. In some embodiments, the SSOproxy 114 can enable the users to access web applications 116 using SSOservices through a web browser directly, without first accessing the SSOuser interface 110 or using a client executing on the user's device. Insome embodiments, SSO services 100 can access an identity manager 124,such as a corporate directory, to verify a user's identity.

In some embodiments, the SSO services 100 can manage granting/denyingaccess to applications, including automatic sign-on, applicationpassword change and reset, session management, application credentialprovisioning, as well as authentication inside and outside of a session.In some embodiments, SSO system 102 can provide automatic single sign-onfunctionality for Windows, Web, Java, and mainframe/terminal-basedapplications running or being accessed from client devices. LogonManager 112A can monitor the session, automatically detecting logonrequests from applications and completing the logon automaticallyaccording to the particular logon requirements associated with therequests.

In some embodiments, various applications and credential types can besupported, such as Oracle Access Management protected resources,federated applications/resources, and form-fill applications. For OAMprotected resources, user requests can be authenticated and thendirected to URLs associated with the requested resources. For FederatedApplications, links to federated partners and resources can be provided,including business to business (B2B) partner applications and SaaSapplications. For form fill applications, templates can be used toidentify fields of application web pages through which credentials canbe submitted.

As described above, web-based SSO services can be provided throughvarious client applications, including multiple browser-based accessmethods. As discussed further below, a user can access applications, andreceive SSO services, through an SSO gateway 108. One access methodenables the user to access SSO services transparently through anembedded SSO application automatically installed in a user's browser. Insome embodiments, a user can access a web logon manager using theirbrowser to access applications, manage policies and credentials, andotherwise consume SSO services. These and other access methods arediscussed further below.

Web-Based Single Sign-on with Form-Fill Proxy Application

In accordance with an embodiment, requests for web applications can bepassed through an SSO proxy. When the SSO proxy receives a response fromthe web applications, the proxy can augment the response with policyinformation and other payload content, embed an SSO application thatoffloads SSO processing to the client device, and rewrite the content ofthe response as needed. The embedded application, which in someembodiments can be implemented as a Javascript application, takesadvantage of the processing power of the client devices to execute thesingle sign-on functionality. By offloading much of the SSO processingto the client device, this solution can easily scale to accommodate manydevices. Adding the SSO functionality to the web-based interface alsoimproves the user experience.

FIG. 2 illustrates a block diagram of a form fill architecture 200, inaccordance with an embodiment of the present invention. As describedabove, the SSO system 102 can be accessed through an SSO gateway 108.The SSO gateway 108 can include a form-fill proxy that embeds an SSOapplication into a client's web browser application. In someembodiments, the SSO application can be a Javascript application thatcan communicate with SSO web services on access manager server 102through a SSO Gateway 108 to manage credentials and obtain policies.

In accordance with an embodiment, the user can access a web application202 through a web browser executing on a client device 106B. The webapplication 202 can be a web based email service, business application,or any other web application. Client device 106B can send a request 204to access the web application 202 which is intercepted by a SSO Gateway108. The SSO Gateway 108 can forward the request to the web application202 and can intercept the response 206 from the web application. In someembodiments, the SSO Gateway 108 can modify the request such that anyresponse from the web application 202 is returned to SSO Gateway 108.Before returning the response to the requesting client 106B, SSO Gateway108 can pass the response 206 to an SSO proxy 114 at the SSO Gateway108. SSO proxy 114 can modify the response to include additional data208 that provides access to various SSO features.

For example, the proxy can add SSO application code, such as Javascript,to the response that enables SSO functions to be called and executedfrom the browser. The SSO application can execute at the user's device106B to identify form-fillable pages and fields, request policies fromthe SSO server and manage credentials. As described further below,credential and policy requests can be sent through a web interface toSSO system 102. For example, a log-in page received from a webapplication can be detected by the SSO application. The SSO applicationcan read a policy for web application and retrieve a credential. Usingthe credential, the SSO application can automatically fill theappropriate fields of the log-in page using the retrieved credentialsand submit the log-in request. If the log-in fails, the SSO applicationcan detect the log-in failure and execute a log-in failure flow that,e.g., enables the user to reset and/or recover their credential for theweb application, and update their credential with the SSO server.

In accordance with an embodiment, the proxy can add additional content208 to the response received from the web application. The additionalcontent 208 can include templates and policies. The templates can beused by the SSO application to identify the form-fillable pages andfields and determine how to add the credentials to the fields. By addingthe SSO application to the web page response, much of the SSO processingis offloaded from the backend system and onto the user device. Byoffloading much of the processing to the end user, processing demandsare reduced at the SSO server resulting in a more scalable solution toSSO than previous systems.

FIG. 3 depicts a block diagram of a method 300 of injecting an SSO proxyapplication in response to a request to access a resource, in accordancewith an embodiment of the present invention. At block 302, a request canbe received from a client device to access a web application. Asdescribed above, the request can be received at an SSO Gatewayassociated with an SSO system. In some embodiments, a request from aclient device can be a request for a web page associated with a webapplication (e.g., an HTTP request). The request can be received from aclient device that does not include an SSO client executing on thedevice.

At block 304, the request can be passed to the web application. In someembodiments, the SSO gateway can log information related to the request(time, date, web address, etc.) for later auditing or other purposes. Atblock 306, a response from the web application is received. The responsecan be a web page that includes fields for the user to supply log ininformation. At block 308, the response can be augmented to includepolicy data and a single sign-on application to create an augmentedresponse. In some embodiments, the response can be rewritten to providea similar look and feel of the user's enterprise system. For example,the color scheme and layout of the web page in response to the user'srequest can be modified to appear similar to the color scheme and layoutof the user's internal intranet. At block 310, the augmented response isreturned to the client device.

In some embodiments, the single sign-on application is a Javascriptapplication. The single sign-on application can execute in the user'sbrowser application and provide SSO services. For example, the SSOapplication can request policies and templates from the SSO system anduse the policies and templates to match a page received in response to arequest for a web application to a corresponding policy. The SSOapplication can automatically inject the appropriate user credentialsinto matching fields of the web page response and submit the credentialsto the web application. This way, single sign on is effected withoutrequiring a separate SSO client application to be provisioned andinstalled on a user's client device.

In some embodiments, the single sign-on application can includeexecutable scripts associated with different hardware, operatingsystems, browsers, or combinations thereof. The SSO application can beconfigured to identify a platform associated with the client device, andto configure itself to execute one or more platform specific operations.The platform can refer to one or more of a client device type (desktop,mobile device, workstation, or other hardware configuration), a browserapplication type, and/or an operating system.

Once installed, the SSO application can provide SSO services to the userthrough the user's browser, without the need for a separate SSO clientapplication. FIG. 4 depicts an SSO application state diagram, inaccordance with an embodiment of the present invention. As shown in FIG.4, at block 402, the SSO application executing in the user's browser canrequest policies associated with a web application. The request can be aweb request formatted according to a web interface provided by an SSOsystem. If no policies are returned, execution of the SSO applicationcan end and the web application can be opened in the user's browserwithout providing any additional SSO services (e.g., where no policiesare found for the web application, the SSO application does not addcredentials or log-in the user to the web application).

If at least one policy is returned then at block 404 the SSO applicationcan match the policies to the page returned by the web application. Forexample, one policy can correspond to a log-in page, while a differentpolicy can correspond to a password change page. Each policy can beassociated with a page template. When an incoming page is matched to apolicy, the incoming page is compared to the stored template pages. Forexample, the template may define various fields and types present in agiven page, the locations of identifying content, labels, tags, etc.When an incoming page matches a given template, the policy correspondingto that template can be used to provide SSO services for that page. Insome embodiments, the policy can define what actions are to be taken fora matched page (e.g., which credentials are to be supplied, how thecredentials are to be supplied, etc.). If no policy is matched,indicating that there is no template matching the incoming page, thenthe incoming page can be presented to the user without any further SSOservices being provided.

Once a policy has been matched, at block 406, the SSO application canrequest credentials from the SSO server. If one or more credentials arereturned, then at block 408 the SSO application can invoke a logonchooser. In some embodiments, at block 410 the logon chooser can bedisplayed to the user on the user's client device, allowing the user tomanually select from the returned credentials. Once the user hasselected credentials using the logon chooser, the SSO application, atblock 412, can inject the selected credentials and submit the logonrequest.

In some embodiments, once the user has made a selection, the selectedcredentials are submitted and at 414 the SSO application can validatethe logon result. If the logon is successfully performed, at block 416the SSO application can send a request to the SSO server to update theuser's credentials for that page based on the user's selection. As such,when the user requests that web application later, the selected usercredentials can be returned without requiring the user to manuallyselect the credentials from the logon chooser. In some embodiments, anautomated logon chooser process can be executed prior to displaying thelogon chooser to the user. For example, if a small number of credentialsare returned, the SSO application can automatically submit each returnedcredential in turn until a successful logon is detected. The SSOapplication can then send an update request to the SSO server to updatethe user's credentials for that web application.

If only one credential was returned, processing can bypass block 410 andgo to block 412 where the credential can be injected into the page andsubmitted without further input from the user. Once the credentials havebeen submitted, the SSO application can monitor the status of the loginrequest. In some embodiments, if the login fails processing can end. Insome embodiments, if the login succeeds, at block 416 the credentialscan be saved.

If no credentials are returned, the incoming page can be displayed tothe user in the user's browser and, at block 418, the SSO applicationcan capture the credentials entered by the user manually. The credentialentered by the user can be submitted and the logon results can bemonitored. If logon was successful, at block 416 the credential is savedand the user is logged into the web application. If the logon fails, theweb application's logon failure page can be displayed to the user. Insome embodiments, the SSO application can automatically detect the logonfailure page, match a policy to the logon failure page and execute aflow corresponding to logon failure (such as password recovery orreset).

In some embodiments, the user can elect to perform a password change(PWC) at the web application. The SSO application can detect a PWC page(e.g., using a PWC template defined for that web application), and atblock 418 can capture the credentials provided by the user. The SSOapplication can monitor the PWC process and, if successful, at block 416the new credential can be saved to the SSO server. If the PWC isunsuccessful, the web application's PWC failure page can be displayed tothe user. In some embodiments, the SSO application can automaticallydetect the PWC failure page, match a policy to the PWC failure page andexecute a flow corresponding to PWC failure (such re-executing the PWCflow and indicating to the user the reason for the failure).

As shown in FIG. 4, processing at blocks 402, 406, 410, and 416 (e.g.,getting policies and credentials, saving credentials, and getting usersettings for a logon chooser) involve communicating with the SSO server.However, the other processing steps, including monitoring the success ofPWC and logon attempts, policy and template detection, credentialinjection, etc., can be performed by the SSO application in the browser.This reduces the amount of processing resources required by the SSOserver and makes it easier to add additional users without strainingsystem resources.

In some embodiments, the SSO server can receive a request from thesingle sign-on application for a policy associated with a webapplication. The SSO server can then send a request to a data managerfor the requested policy. If one or more policies are returned, then theSSO server can send a response to the single sign-on applicationincluding the one or more policies. If no policies are returned, the SSOserver can return a response to the SSO application indicating that nopolicies are associated with the web application.

In some embodiments, the SSO server can receive a request from thesingle sign-on application for a credential associated with a user toaccess a web application. The SSO server can then send a request to adata manager for the credential. If one or more credentials arereturned, then the SSO server can send a response to the single sign-onapplication including the one or more credentials. The SSO applicationcan then present a logon chooser to the user to select from the one ormore credentials. If no credentials are returned, the SSO server canreturn a response to the SSO application indicating that no credentialsare associated with the user and the web application.

In some embodiments, the SSO application can include a credentialmanager that can search and list credentials, perform auto and manualpassword change (PWC) processing, logon chooser, and logon Failure. Asdescribed above, in some embodiments, the SSO application can beinstalled in a user's browser in response to a request for a webapplication (e.g., the SSO application can be added to the augmentedresponse that is sent to the user. As such, the SSO application can beinitialized into a state corresponding to the incoming response web pagethat includes the SSO application.

In some embodiments, a web application request can be initiated from aweb logon manager (WLM), as described further below. In such anembodiment, the SSO application can obtain credential information fromthe WLM (e.g., by checking a query string, session storage information,or other information). Using the credential from WLM enables the SSOapplication to avoid requesting credential information from the SSOserver, further reducing the load placed on the SSO server.

In some embodiments, an automatic password change (PWC) process can beimplemented by the SSO system. The SSO system can match a PWC page to atemplate, enabling the SSO system to identify a policy associated withthe PWC page. The SSO application can send a request for credentialsthat match the page template. Using the credential, the current username and password can be added to the appropriate fields in the PWCpage. During automatic PWC, a new password can be automaticallygenerated by the SSO server and the user's credential can be updatedwith the new, automatically generated password. The SSO server can thenreturn the updated credential to the SSO application. The SSOapplication can add the new password to the appropriate field of the PWCpage and submit the password change request. At block 420 the PWC resultcan be validated. If the password was successfully updated, at block 416the change is confirmed and the updated credential is saved. If thepassword was not successfully updated, the user can be returned to thePWC page.

In some embodiments, a manual PWC process may also be provided. Duringmanual PWC, the PWC page is matched as in the automatic PWC andcredentials are identified based on the match. The SSO application canreceive the credentials and inject the credentials into the appropriatefields in the PWC page. For manual PWC, the policy can disableauto-submit, preventing the SSO application from automaticallysubmitting the credentials. The SSO application can then monitor the PWCpage to capture the new password credential entered manually by theuser. The password provided by the user can then be used to update thestored credential. In some embodiments, the SSO server can confirm thatthe password provided by the user meets password standards (either thoseset by the web application or by the SSO server), such as number ofcharacters, types of characters, etc.

FIG. 5 illustrates a pluggable single sign-on application operable toexecute in different environments, in accordance with an embodiment ofthe present invention. As described above, the proxy augments responsesfrom web applications to include an SSO application that executes in theuser's browser and can communicate with the SSO server to provide SSOservices, such as policy and credential management. Since each userdevice, client, and browser can have different requirements andcapabilities, the SSO application can be pluggable to support differentenvironments. For example, environmental variables 500 can be set todefine the client (e.g., is it a standalone client or a browser) and thebrowser in use (such as Internet Explorer, Chrome, Firefox, etc.). Eachsupported client can be associated with browser-specific andplatform-specific functions 502. Support for new platforms and browserscan be added by creating a platform- or browser-specific plugin for theSSO application.

The SSO application can be configured upon installation or a platformspecific SSO application can be provided by the SSO server. In someembodiments, once installed the SSO application can call platformspecific functions to perform SSO services. In some embodiments, a setof shared functions may be provided across multiple platforms inaddition to the platform specific functions. For example, functions thatare called to communicate with the SSO server can be shared acrossmultiple platforms, while platform specific functions for injecting andcapturing credentials from a web page may also be provided.

As described above, an SSO application can be installed in a user'sbrowser application and provide SSO services to the user transparently.Additionally, the SSO application can take advantage of the processingcapabilities of the user's client device to reduce the amount ofprocessing required by the SSO server 102. For example, templatematching, credential injection, and other SSO processing can be handledon the client side. In some embodiments, a user can access additionalapplications and perform additional SSO management through a web-basedlogon manager interface.

Web-Based Single Sign-on Logon Manager

Existing logon managers typically can only coordinate access toapplications that use the same login method. For example, form-fillapplications cannot be managed with other applications that use adifferent login method. Embodiments of the present invention provide anend user application dashboard which provides a central location throughwhich the end user can access their applications. The dashboard providesa unified launch point for multiple applications having different log-inrequirements. For example, form-fill applications, federatedapplications, and other access controlled and unprotected applications.Applications can register with the dashboard and specify how theapplication is accessed. Policies can be defined for the applicationsafter registration based on how the applications are accessed. Thedashboard is extensible such that new login types can be supported. Thedashboard provides a simple, unified access point for all of a user'sapplications regardless of how the applications are accessed.

FIG. 6 illustrates a desktop logon manager interface, in accordance withan embodiment of the present invention. As shown in FIG. 6, the logonmanager interface 600 can provide a unified view of one or moreapplication icons 602, each representing web applications, services, andor systems that a user can access. The user's application icons can bedisplayed in an end user application catalog, or dashboard, and eachapplication can be associated with different access requirements. Thedashboard can be displayed after the user logs into the system. In someembodiments, the user can logon to their client device to access the weblogon manager. In some embodiments, the user can first login uponaccessing the web logon manager. Some applications displayed in thedashboard may be unprotected and require no credential to access, whileothers may be form fill applications, federated applications, or otheraccess types. As such, the dashboard can display applications regardlessof access type, presenting a unified view of applications and a singlepoint of access to the user.

Each application icon shown in the dashboard can be associated with oneor more policies and one or more credentials. A policy defines how anapplication can be accessed, and the credential provides informationthat can be used to authenticate the user to access the application. Insome embodiments, the user's dashboard can be provisioned. For example,a new employee at a company can have a dashboard setup with severalapplication icons the employee will be utilizing, such as icons for anemail application and business applications. Once the applications aresetup and visible in the user's dashboard, the policy type/type ofcredential for each application is hidden from the user. The user cansimply select an application and access it, without having to manage thedetails of accessing a particular application.

In some embodiments, the web logon manager can display different viewsof the applications available to the user, enabling the user tocustomize the layout of their dashboard, such as by changing whichapplications are shown in the dashboard and how the applications areorganized. For example, the web logon manager can provide a searchfunction 604, enabling the user to search for particular applications(e.g., by name, type, or other characteristic) and the web logon managercan then display a search view that includes matching applications. Insome embodiments, the user can select a view all 606 icon to have allavailable applications displayed in the dashboard. The user can alsoselect to sort the applications along different dimensions (e.g., mostfrequently accessed, time added, alphabetical, etc.). In someembodiments, the user can designate particular applications asfavorites, and select a favorites icon 608 to view only thoseapplications that have been so designated. In some embodiments, the usercan view recently added applications by selecting recent icon 610.

In some embodiments, the user can manually add 612 new applications tothe web logon manager. For example, the user can add and removeapplications by adding or deleting corresponding policies andcredentials. In some embodiments, the user can update their credentialsthrough the logon manager. In some embodiments, an edit view 614 can bedisplayed that allows the user to designate favorites 616 and configureeach application. For example, the user can select setup 618 to manuallyupdate settings related to an application (e.g., update credentials orpolicies). From the dashboard, a user can launch an application byselecting (e.g., clicking or tapping) on the application name.

In some embodiments, a user can add applications to their dashboard byselecting an available application from a catalog and providingappropriate credentials. The available applications can each usedifferent types of credentials. Depending on the application selected,the web logon manager can determine the type of credential used by theselected application, and display a message to the user requesting theappropriate credential. In some embodiments, the user can provide acustom display name, description, or other details for an application.In some embodiments, display names can be pre-populated for the user.The user has the option to modify them as needed. In some embodiments,multiple credentials can be provided for the same web application (e.g.,corresponding to multiple accounts with an e-commerce application). Eachcan be represented by its own application icon in the dashboard, and canbe automatically named with an additional number or other indicator todifferentiate between each credential. In some embodiments, additionallyor alternatively, multiple logon credentials can be set up for anapplication. For example the logon manager can monitor user activity ata web application and capture additional credentials provided by theuser.

In some embodiments, a user can remove credentials associated with agiven application. Once credentials have been removed, the applicationcan be automatically removed from the user's dashboard. In someembodiments, if the user has designated the application as a favorite,the application may still be displayed in a favorite view of the user'sdashboard. The user can later add a new credential for the applicationand return the application to the user's dashboard. In some embodiments,if multiple credentials have been stored for a given application, theuser can remove each credential separately. In some embodiments, theuser can request that all credentials associated with a givenapplication are removed.

In some embodiments, a user can share or delegate their credentials toanother user. The dashboard can display a “share” icon for thoseapplications that may be shared. Application developers and/oradministrators can configure the applications for sharing. In someembodiments, sharing can be disabled on a per application basis. When auser elects to share their credentials, a prompt can be displayedrequesting the user to provide user information for the user with whomthe credentials will be shared. In some embodiments, the prompt caninclude a list of users (e.g., populated from an enterprise userdatabase). When credentials have been delegated, the delagee may beprevented from sharing the credentials with additional users. In someembodiments, the number of users with whom credentials may be shared canbe limited to a maximum number.

A user can revoke delegation at any given time by selecting a “revoke”icon. The revoke icon may be shown when the credentials are shared withanother user. In some embodiments, when a user delegates credentials,the user can set a delegation time period after which the credentialsare automatically revoked.

In some embodiments, the web logon manager can include a password change(PWC) wizard. As described above, the PWC wizard can include a manualmode in which the user specifies the new password and an automatic modein which the PWC wizard automatically selects a new password on theuser's behalf.

FIG. 7 illustrates a logon manager interface 700, in accordance with anembodiment of the present invention. When a user accesses the logonmanager from a mobile device, such as a smart phone or a tablet, theinterface can automatically adapt to the size and dimensionalrequirements of the user's device. The mobile logon manager interface700 can provide similar features to a full screen or desktop interfaceas described above with respect to FIG. 6. Each application icon, suchas icons 702 and 704, can be resized and displayed in a scrollable list.The user can select an icon 704 next to the display name of anapplication to view the details of the application. In some embodiments,when in detail view, the user can be presented with the option to editthe application (e.g., by updating credentials and/or policiesassociated with the application). In some embodiments, icon 704 canlaunch the application when selected.

FIG. 8 illustrates a logon manager architecture, in accordance with anembodiment of the present invention. Each icon shown in FIGS. 6 and 7can represent a different application, such as web applications, localapplications and remote applications. As described above, each icon canbe associated with a policy that defines how the SSO system interactswith the application, and a credential that provides the user withaccess to the application. As shown in FIG. 8, a user can access thelogon manager through an SSO client 106 executing on the user's device106B. In some embodiments, the client can be a standalone client or abrowser-based client.

In some embodiments, a user can access the logon manager through abrowser on a client device by visiting a URL associated with the weblogon manager. In some embodiments, the web logon manager can bedistributed across SSO Gateway 108 and SSO system 102. A front end weblogon component 112A can execute on SSO Gateway 108 and can provide agraphical user interface (GUI) through which requests from clients 106can be received. In some embodiments, the user can be prompted toprovide the credential (e.g., a user name and password) directly to thelogon manager, or redirected and prompted to logon with the SSO system102. Once logged on, a cookie or other identifier can be added to theuser's browser indicating that the user is logged-in and can access thelogon manager and view their dashboard. In some embodiments, when a userlogs-in to their device, such as a tablet, laptop, or smartphone, theuser can then access the logon manager without providing an additionalcredential. Once logged-in, the user can request access to applicationsshown on their dashboard without further log-in requirements.

In some embodiments, the web logon manager 112A can receive a request toaccess an application in the dashboard, for example when the userselects an application shown in the dashboard. Requests can be receivedat the front end web logon component 112A over HTTP/HTTPS and can beconverted by front end web logon component 112A to an access protocol(such as Oracle Access Protocol, available from Oracle InternationalCorporation, Redwood Shores, Calif.) and can be forwarded to back endweb logon component 112B. The converted request can include a request,formatted for a web interface, for a policy associated with theapplication and/or for a credential associated with the user. Back endweb logon component 112B can extract the policy and/or credentialrequests and send them to the SSO services 100 through web interface104. The policies and/or credentials can be returned to back end weblogon component 112B through web interface 104. Web logon component 112Bcan generate a response message including the policies and/orcredentials and send the message over the access protocol to web logoncomponent 112A. The web logon manager 112A can launch the application,for example by sending an HTTP request for a URL associated with theapplication. Using the policy(s) associated with the application, theweb logon manager 112A can match a policy to a response received fromthe application. The web logon manager 112A can automatically providethe user credentials to the application according to the policy(s).

FIG. 9 depicts a block diagram of a method 900 of accessing a webapplication through a web logon interface, in accordance with anembodiment of the present invention. At block 902, a request to accessan application can be received through a web logon manager userinterface. In some embodiments, the request can be received over aweb-based interface through a browser application executing on a user'sclient device (such as a desktop or mobile computing device). In someembodiments, the user can navigate to the web logon manager userinterface by entering a URL corresponding to the web logon manager userinterface in the browser application. In some embodiments, the user canautomatically be redirected to the web logon manager user interface uponsending a request for a web page or web application through the browserapplication. The web logon manager user interface can requestcredentials from the user to access the user interface.

At block 904, a policy associated with the application can beidentified. The policy can define access requirements associated withthe application. For example, the policy can define a type of credentialrequired to access the application and can define how the credential isto be provided to the application (e.g., which fields should receive thecredentials). In some embodiments, the policy can be identified by theweb logon manager by generating a policy request message and sending thepolicy request message to an SSO system through a web interface. Atblock 906, user credentials can be identified based on the applicationrequirements. In some embodiments, the web logon manager can identifythe credential based on the received policy. The web logon manager canretrieve the credential by generating a credential request message andsending the credential request message to an SSO system through a webinterface.

At block 908, once the appropriate policy and credential have beenreceived, the web logon manager can automatically provide the usercredentials to the application. In some embodiments, when an incomingweb page response is received from the application, the web logonmanager can use the policy to identify fields of the web page responseto inject the credential and submit the credential to the webapplication. In some embodiments, when the web logon manager receives aform fill policy in response to a policy request, the web logon managercan automatically populate fields in a graphical user interfaceassociated with the application with the user credentials and submit theuser credentials to the application through the graphical userinterface. Upon logon, the web logon manager can verify that the logonwas successful, and return the response web page to the user.

In some embodiments, a user or administrator can add a new applicationto the logon manager. For example, when a new employee is hired, anumber of company-standard and commonly used applications can beprovisioned to the new employee's dashboard. Adding a new applicationcan include receiving a request to add a new application to the logonmanager, the request can include a policy and a credential for the user.The web logon manager can send a request, through a web interface, to adata manager to store the policy and the credential. Once the datamanager confirms that the policy and credential have been successfullystored, the logon manager can add an application icon corresponding tothe new application to the logon manager, such that the icon isdisplayed in the logon manager. In some embodiments, multipleapplications can be added at once, in a batch. Such a request caninclude receiving a request to provision multiple applications for auser, including policies and credentials for each of the applications.The web logon manager can then send multiple requests (or a single batchrequest) to the data manager to store the policy and credential for eachapplication. Once confirmation is received of successful storage, theweb logon manager can add icons corresponding to each of the pluralityof applications to the logon manager, such that the icons are displayedwhen the user logs-in to the logon manager.

In some embodiments, the logon manager interface presents a unified viewof applications associated with different types of credentials. Forexample, each application icon shown in the user's dashboard can bedisplayed together in aggregate. Once a given application icon isselected to launch the corresponding application, the web logon managercan communicate with the SSO system to launch the application using theappropriate credentials. In some embodiments, the user's dashboard canbe sorted to display applications based on the credential type, ordisplay multiple views where a given view shows applications associatedwith one credential type.

As described above, SSO services can be accessed by, and provided to,users through various channels (e.g., through an SSO applicationinstalled in a user's browser, through a web logon manager, or throughother channels). Requests can be communicated to the SSO server 102through one or more web interfaces which provide a standard, clientagnostic, way of providing SSO services.

Web-Based Single Sign-on Services and Access Management

In accordance with an embodiment, single sign-on services, includingcredential management and policy management, can be integrated with aweb-based or cloud-based SSO system through one or more web interfaces.Each SSO service provided by the SSO system can be accessed by a clientthrough the web via the one or more web interfaces, such as a RESTinterface. Traditionally, SSO services were provided locally (e.g.,through an SSO service executing on a local machine or a local network)and were configured to communicate using protocols that provided securetransfer of policy and credential information. However, to access thesesame services from a remote web-based or cloud-based SSO system, whilemaintaining backwards compatibility, presents a complex communicationschallenge. Clients are typically configured to send web requests andreceive web responses over HTTP or HTTPS, whereas SSO service requestsand responses typically use an access protocol (such as network accessprotocol or Oracle access protocol). Embodiments of the presentinvention facilitate tunneling of requests and responses can be tunneledover NAP from the client to the access manager server.

FIG. 10 illustrates an SSO server architecture 1000 integrating singlesign-on services, in accordance with an embodiment of the presentinvention. Single sign-on, whether web-based or desktop-based, requirespolicy management services and credential management services. Asdescribed above, policies define how a single sign-on system interactswith applications and credentials are used to authenticate users to gainaccess to the applications. Embodiments of the present invention aredirected to providing web-based single sign-on. Each single sign-onservice 100 can be exposed using a web interface 104, such as a RESTinterface. As described above, by using a web interface, different typesof clients 106 can access the single sign-on services 100, and newclients can easily be added. In some embodiments, each SSO service 100can be associated with a different web interface. The web interfacesprovide a simply way to create, read, update, and delete (CRUD) policiesand credentials.

Clients 106 can send requests for single sign-on services, for example arequest for policies or credentials, to an SSO system 102 through an SSOgateway 108. As shown in FIG. 10, requests from clients 106 can bereceived by an SSO Gateway 108, through an access agent 110, a web logonmanager interface 112A, and/or SSO application 114. The request can be,e.g., a REST request tunneled over an access protocol (such as NAP orOAP). In some embodiments, a single web interface can be used to accessthe single sign-on services. In some embodiments, each single sign-onservice can be associated with a service-specific web interface.

In some embodiments, when a request is made to the SSO services throughthe access agent, logon manager, or proxy, the requests can be receivedfrom a client as HTTP or HTTPS requests. SSO gateway 108 can include atunnel proxy 1002A which can tunnel the HTTP requests over NAP (NetworkAccess Protocol) or OAP (Oracle Access Protocol) to the SSO server 102.An NAP or OAP connection can be opened between the SSO gateway 108 andan NAP/OAP endpoint 1004 at the SSO server 102. In some embodiments, theNAP/OAP endpoint 1004 can be a web interface that is accessed through adesignated URL. A tunnel proxy 1002B at the SSO server 102 can thenconvert the requests back to HTTP or HTTPS and send the convertedrequests to the appropriate SSO service 100 at the SSO server 102. Insome embodiments, services can register with the tunnel proxy 1002B inorder to receive tunneled requests and send tunneled responses throughthe tunnel proxy. Responses from the SSO server 102 to the requestingclient can be similarly tunneled back (e.g., an HTTP or HTTPS responsegenerated by the requested service 100 can be received by tunnel proxy1002B which can convert the request to NAP/OAP and the tunneled responsecan then be sent to tunnel proxy 1002A through web interface 1004).

For example, a URL can be configured that is tunneled from the SSOgateway 108 to the SSO server 102. In some embodiments, the URL can bemapped to a servlet or JSP page at the SSO server 102 that correspondsto an SSO service 100. When an HTTP/S request is sent to the URL, theHTTP/S request is converted to a NAP/OAP request and is forwarded overan NAP/OAP connection to the SSO server 102. The SSO server 102 endpoint 1004 receives the NAP/OAP request and passes the request to thetunnel proxy 1002B. The tunnel proxy 1002B can convert the NAP/OAPrequest to an HTTP/S request and send the request to the appropriateservice. For example, the tunnel proxy can convert the NAP/OAP requestto an HTTPServletRequest and invoke the appropriate servlet (such as acompiled Servlet from a JSP file in case of JSP). The response can beconverted back to NAP/OAP by the tunnel proxy 1002B and passed back tothe NAP/OAP end point 1004. The NAP/OAP response is then returned to theSSO gateway where tunnel proxy 1002A can convert the NAP/OAP responseback to an HTTP/HTTPS response that is returned to the client, such asthe user's browser.

In some embodiments, requests received through a web interface layer1004 (such as a REST layer) for resources (such as access toapplications, credentials, policies, or other data) can be analyzed todetermine whether the requested resource is protected and whether thereis an authentication cookie included with the request. If anauthentication cookie is not provided, or has expired, and the requestedresource is protected, then the request can be redirected to anauthentication service, such as Oracle Authentication Manager availablefrom Oracle International Corporation, Redwood Shores, Calif. Theauthentication service can request credentials from the user (e.g., ausername and password). When the authentication service receives thecredentials, the authentication service can validate the credentials andif valid, return an authentication cookie to the user's browser. Theresource request can then be redirected to the web interface layer,where the authentication cookie provides access to the requestedresource. In some embodiments, when a user ends their session, eitherthrough a timeout or an affirmative logout, the web interface layer candestroy session information and return the user to a logon screen.

FIGS. 11A and 11B illustrate a policy manager architecture 1100 and acredential manager architecture 1102, in accordance with an embodimentof the present invention. As shown in FIG. 11A, a policy manager 1104can provide centralized access to SSO policy management services 1106,such as storing and retrieving policies across multiple policyrepositories/systems. The policy manager 1104 can be associated with aweb interface 104 (e.g., a REST interface) such that the policy managercan receive requests and send responses over the web. This makes thepolicy manager platform independent, as it is operable to interact withany client that can send and receive web-based messages. In someembodiments, the policy manager 1104 can be used to manage user andadministrative policies. The policy manager 1104 can be configured tosupport different access control types using plug-ins 1106. Each plug-incan include one or more methods for creating, reading, updating, anddeleting policies specific to the plug-ins corresponding policy type. Toadd support for a new access control type, a new plug-in can be providedto the policy manager.

In some embodiments, policy manager 1104 can provide a layer ofabstraction from the particular policy types, e.g., a client need onlyknow how to communicate with the policy manager 1104 through the webinterface 104, and not with each underlying policy type. When a requestis received by the policy manager 1104, the policy manager can determinethe policy type associated with the request and, using a correspondingplugin 1106, generate a policy-type specific request. The policy manager1104 can send the policy type-specific request to a data manager 122. Asfurther described below, data manager 122 provides a layer ofabstraction to the various data sources. The data manager can identifydata responsive to the request and return the identified data to thepolicy manager. For example, a search request from the policy managercan return a list of policies responsive to search criteria includedwith the request (e.g., filters, policy identifiers, types of policies,etc.). In some embodiments, if no criteria are provided then allpolicies can be fetched and returned. When a new policy is added, policymanager 1104 can create an identifier and then associate the new policywith the identifier. In some embodiments, multiple policies can beassociated with the same identifier. The policy manager 1104 can thenpass a list including the identifier and policy to the data manager 122.Similarly, an update operation can include identifiers associated withone or more existing policies and updated policy information. The policymanager 1104 can send the identifier and updated policies to the datamanager 122 which can store the updated policies. Delete requests caninclude a set of identifiers, and the data manager 122 can delete theidentified policies and return status information for the deletion. Insome embodiments, policy management requests can be received from an enduser through a client device and/or from an administrator through anadministration console.

In some embodiments, policy manager 1104 can manage applicationtemplates. Each application template can be an object that includes adefinition of how SSO services are to be provided to a particularapplication. For example, an application template can define how the SSOsystem is to interact with, match, inject, and provide SSO services to aparticular application. A given application template can be associatedwith one or more sub-forms that can each correspond to various matchtypes (e.g., login UI, password change UI, success/failure UIs, methodof interaction, etc.). In some embodiments, a particular applicationtemplates can be associated with many users, and a user can have accessto many application templates. Additionally, in some embodiments, anapplication template can be associated with many credentials. In someembodiments, an application template can be associated with one or moreother policies (e.g., a password policy, a credential sharing policy,etc.).

In some embodiments, policy manager 1104 can manage password policies.As described above, each password policy can be associated with one ormore application templates that share the password policy. Passwordpolicies can be used by provisioning manager 1112 and/or password resetmanager 1114 when establishing or updating a password for anapplication. In some embodiments, a password policy can be used toautomatically generate a password during provisioning and/or passwordreset or can be used to validate passwords received from a user. In someembodiments, policy manager 1104 can manage administration policies thatoverride user or locally deployed settings.

As shown in FIG. 11B, a credential manager 1110 can provide centralizedaccess for end-user credential management across one or more differentcredential types stored in different repositories 120. Credentialmanager 1110 can abstract credential management operations from theclient, simplifying the development of new clients by reducing theamount of logic required. Additionally, the credential manager 1110 isplatform independent and can communicate with any client operable tosend and receive messages over the web.

In some embodiments, a credential manager 1110 can manage storing andretrieving credentials across multiple repositories 120 and providesbackward compatibility to access existing user credentials. Thecredential manager 1110 can enable clients to manage various types ofSSO credentials including delegated and privileged credentials. Throughweb interface 104, the credential manager can publish an API thatprovides CRUD operations for credentials such as get, add, update anddelete. This provides a layer of abstraction from each credential store,e.g., a client need only know how to communicate with the credentialmanager, rather than how to communicate with multiple supportedcredential data store. When the credential manager 1110 receives acredential request through web interface 104, the credential manager cananalyze the request with one or more sub-managers corresponding todifferent types of credentials (such as Privileged Credential Manager1114, Delegated Credential Manager 1118, and SSO Credential Manager1120) to identify the appropriate credential data store and to fulfillthe credential request.

In some embodiments, a credential manager 1110 can receive a credentialsrequest for a given user. The credential manager 1110 can send requeststo each sub-manager 1114, 1118, 1120 to identify credentials associatedwith the user and to return any matching credentials. In someembodiments, a credential manager 1110 can receive a request to get acredential, such as a privileged account credential. The credentialmanager can send a request to get the credential to a correspondingsub-manager (e.g., to add a privileged account credential the credentialmanager can send a request to the Privileged Credential Manager 1114) toget that credential. The corresponding sub-manager can check-out thecredential (e.g., from privileged server 1116), and return thecredential to the credential manager 1110. In some embodiments,sensitive fields of the credential can be encrypted prior to send thecredential to the credential manager 1110.

In some embodiments, when a get credentials operation is received bycredential manager 1110 the credential manager can request a list ofcredentials based on the request (e.g., associated with a useridentified in the request, a credential ID, a credential type, or othercriteria). In some embodiments, if no criteria are specified in therequest, credential manager 1110 can request all credentials associatedwith the requesting user. In some embodiments, credential manager 1110can receive a request to add a credential or credentials for a user orusers. Credential manager 1110 can generate a credential identifier foreach credential and call a corresponding sub-manager, based on the typeof credential to be added. The sub-manager can validate the receivedcredentials and send a request to data manager 122 to store thecredentials in the appropriate data repository 120. A status of eachadded credential can be returned by the data manager. Similarly,credential manager 1110 can receive a request to update credentials. Thecredential manager 1110 can send a request to each correspondingsub-manager, including the updated credentials. The sub-manager canvalidate the updated credentials and send a request to data manager 122to store the updated credentials. An update status can be returned. Insome embodiments, a credential manager 1110 can receive a request todelete a credential. The credential manager 1110 can identify acorresponding sub-manager and send a request to the sub-manager todelete the credential. In some embodiments, if the credential has beendelegated, the delegation can be revoked prior to deletion.

FIG. 12 depicts a block diagram of a method 1200 of providing SSOservices through web-based interfaces, in accordance with an embodimentof the present invention. At block 1202, a request is received for asingle sign-on service. The request can be received from a clientdevice, administration console, an application, or any other entity. Therequest can be received via a web interface associated with the singlesign-on service. In some embodiments, a single web interface may serveas a central entry point for all requests directed to one or more SSOservices. When a request is received, a particular SSO serviceassociated with that request can be identified and the request can beforwarded to an endpoint associated with that SSO service.

In some embodiments, the request can be received in a first protocol bya proxy that converts the request from the first protocol to a secondprotocol and forwards the converted request to the single sign-onservice. For example, the request can be an HTTP/S request and the proxycan tunnel the HTTP/S request over an access protocol such as NAP orOAP. In some embodiments, a second proxy can receive the tunneledrequest and extract the HTTP/S request to be passed to the receiving SSOservice. In some embodiments, responses can be similarly tunneled to bereturned to the requesting client. For example, the second proxy canreceive a response from an SSO service (e.g., including a requestedcredential, policy, verification message, etc.). The response may be anHTTP/S response. The proxy can tunnel the HTTP/S response using NAP,OAP, or similar access protocol, and return the tunneled response to therequesting client via the proxy.

At block 1204, a data request can be sent to a data manager based on therequest to manage a policy or credential. In some embodiments, therequest for an SSO service can be, e.g., a policy management request(such as a request to create, read, update or delete a policy) or acredential management request (such as a request to create, read, updateor delete a credential).

Because different types of policies may be stored in different datasources, accessible through data source-specific interfaces, SSO systemstraditionally only worked with a limited number of policy types. Thislimited the available options for end users or forced end users tosupport multiple application. However, as described above, embodimentsof the present invention provide a policy manager that can receiverequests through a first (generic) interface. The request can specifythe particular policy management operations to be performed (e.g., CRUDoperations) according to the interface. The policy management requestcan be data source agnostic (e.g., the request may not specify where orhow policies are stored or include any data source specific operations).The policy manager can then identify a policy management plug-inassociated with the policy management request and convert the policymanagement request to a format for a second (data source-specific)interface based on the identified policy management plug-in. The policymanager can then generate the data request based on the one or morepolicy management operations.

Similarly, credentials can be stored in various credential stores, eachaccessible through its own interface. This traditionally limited SSOapplications to those using the same type of credential. Embodiments ofthe present invention provide a credential manager that can beconfigured to manage various types of credentials stored in differentcredential stores. When a credential management request is received, itcan be sent to a credential manager. Like the policy manager, thecredential manager can receive requests through a generic interface.This serves as an abstraction layer between the client making thecredential management request and the particular credential store thatcan service the request. In some embodiments, the credential manager canidentify a sub-manager associated with the credential management requestand converts the credential management request to a format for a secondinterface based on the identified sub-manager. The second interface cancorrespond to a particular credential store managed by the sub-manager.The credential manager can then generate the data request based on theone or more policy management operations.

At block 1206, a response is returned via the associated web interface.The response can include data (e.g., a policy or credential) retrievedaccording to the request. In some embodiments, the response can indicatewhether a create, update, or delete operation completed successfully orfailed.

Virtualized Data Storage and Management of Policy and Credential DataSources

As described above, embodiments of the present invention can supportsingle sign-on for one or more different applications that utilizedifferent access types, such as form-fill, federated, protected, andother types. Policies and credentials associated with the differentaccess types can be stored in different types of repositories. Inaccordance with an embodiment, to support different access types througha unified interface, a virtualized data management system is providedthat is agnostic to the actual physical storage (OID, AD, ADAM, Databaseetc.). The data management system can provide an SPI layer to managecredentials and policies. The data management system can also provideAPIs to perform CRUD operations and can manage permissions (such as ACLPermissions and Data Level Permissions), agnostic of the data storecontainer being used. In some embodiments, the data management systemcan use a multi hash map-based cache for faster data access.

In some embodiments, the data management system provides a centralizedrepository through which credentials, policies, administrative services,and other configuration and security services can be maintained. Thisenables users to access and consume SSO services through various clients106. The data management system can present a unified interface todifferent repositories and services, such as Oracle Directory Servers(OID, ODSEE, OUD), Microsoft Active Directory, Microsoft ADAM/AD-LDS,and other LDAP-compliant directories, as well as SQL databases and localor networked file systems. Additionally, the data management isextensible, such that new data sources and services can be integratedwith the data management system by implementing a compatible plugin.

In some embodiments, the data management system can synchronizecredentials stored locally by a client with credentials stored in one ormore credential-specific data stores managed by the data managementsystem. When a synchronization event is triggered (e.g., at startup, orwhen credentials are added, deleted, or updated) the data managementsystem can compare credential data stored in a client cache tocredential data stored in the repositories managed by the datamanagement systems. Credentials can be updated locally at the client(e.g., by the user) or directly at the credential repository (e.g., byan administrator or through a third party credential service). Duringsynchronization, conflicts can be detected between credentials storedlocally and credentials stored in one or more credential data stores. Aconflict policy can define which credential is to be saved. In someembodiments, the most recently updated credential can be saved and anyother credentials can be discarded. In some embodiments, the credentialsstored in the credential data store can be saved and any othercredentials stored locally can be discarded. Synchronization alsomaintains backwards compatibility with desktop-based SSO services.Desktop-based services use locally maintained credentials and policiesto provide SSO services, so keeping the local store in sync with the webbased repositories, the desktop-based SSO services can continue toprovide up to date SSO services.

FIG. 13 illustrates a data manager architecture 1300, in accordance withan embodiment of the present invention. As shown in FIG. 13, a datamanager 122 provides a centralized interface for SSO data managementthat can support one or more different physical storage systems 1302 viaextensible plug-ins 1304. Each plug-in can enable the data requestsreceived from the SSO services to be performed on the correspondingphysical storage system. The data manager is extensible such that it cansupport new types of physical data sources by adding correspondingplug-ins. The data manager is backward compatible with desktop-based SSOservices.

Data manager 122 provides a single interface to enable storing andretrieving policies across multiple repositories 1302. Data requests canbe received by the data manager 122 through a single API that does notrequire specific repository information or repository-specificoperations. Instead, the data manager 122 can identify the appropriaterepository for the request and send a request to the appropriaterepository through a corresponding plug-in 1304. In some embodiments,the data manager 122 provides an SPI layer that interfaces with eachplug-in. The data manager 122 exposes a unified interface for CRUDoperations related to Policy, Credential and Provisioning Data.

The SPI Layer can auto initialize each plug-in instance based on thetype of CRUD Request. In some embodiments, data manager 122 can providea generic interface which is used to perform CRUD operations withoutspecifying the underlying data store 1202. In some embodiments, ageneric interface can be provided for each type of operation (e.g.,credential, policy, and provisioning operations). When a request isreceived through the generic interface, the data manager 122 canidentify data store specific operations and connection informationthrough configuration information maintained by the SSO system 102(e.g., by data manager 122). The data manager 122 can then initializethe corresponding plug-in to communicate with the data store.

In some embodiments, when a plug-in instance is invoked for the firsttime and initialization happens, a Context Object Pool can be createdfor the Data Store. This can provide High Availability and threadsafety. For each CRUD operation a separate context object can beassigned from the pool and returned back to the pool once the operationis completed. The Data Manager 122 can us connection pooling (e.g.,provided by a JNDI service provider) and the context pooling to saveresources by making a pool of connections when the application startsup, and reducing the time needed to create a connection or todisconnect. Additionally, by initiating a connection pool, management ofconnections to the data store can be simplified as connection creation,max number of connections for an application, max idle time for aconnection, and other configuration details can be delegated to aConnection Pool Manager.

In some embodiments, one or more hash maps can be used by the datamanager 122 to improve performance when looking up policies andcredentials stored across the various data repositories 1302. In someembodiments, one hash map can map Policy Type to an identifier, and apolicy object. Another hash map can map a Policy Name to a policyreference. Another hash map can map a key to a policy object. Anotherhash map can map a value to a list of policy objects.

In some embodiments, create, read update and delete (CRUD) operationscan be supported for credential, policy, and provisioning services. EachCRUD operation can be exposed by data manager 122 through a webinterface. For example, credential operations can include creating a newcredential for a specified object (e.g., an application or service),reading (e.g., retrieving) a credential associated with a user and atleast one application, updating a specified credential (e.g., modifyingthe credential or providing a new credential), and deleting a credentialfor a specified object. Similar operations can be provided for policyand provisioning services.

In some embodiments, the data manager 122 can support CRUD operationsperformed on policy data, including: Application Templates, PasswordPolicies, Credential Sharing Groups, and administrative data. In someembodiments, data manager 122 can further support CRUD operations onCredential data, Provisioning data (e.g., Instructions/Keys), UserSettings, Data Management settings, User Secrets (UAM), Encryption Keys(UAM), and Enrollment Credentials (UAM).

FIG. 14 depicts a block diagram of a method 1400 of managing credentialsstored across multiple data stores, in accordance with an embodiment ofthe present invention. At block 1402, an extensible data manager canprovide a unified view of one or more storage systems to one or moresingle sign-on services. In some embodiments, each single sign-onservice is associated with a web interface.

At block 1404, a data request can be received at the extensible datamanager for a credential from a single sign-on service. The extensibledata manager can act as an abstraction layer for the one or more storagesystems, such that requests can be storage system agnostic. For example,the data request can include criteria that can be used to identify therequested credential or credentials. The criteria may be broad enough tocorrespond to different types of credentials. Under previous systems, auser would have to separately search different credential stores formatching credentials. However, in accordance with an embodiment of thepresent invention, the data manager can receive one request and searchacross multiple credential stores.

At block 1406, at least one storage system associated with the requestcan be identified. For example, based on criteria included with therequest, such as a credential ID, credential type, or other criteria,the data manager can identify one or more corresponding storage systems.In some embodiments, the data manager can use a hash map to identifyrelevant storage systems using the criteria.

At block 1408, a storage system plug-in corresponding to each of the atleast one storage system can be identified. The data manager can includean SPI layer through which a number of storage systems can interface byproviding a plug-in. Each plug-in can convert data requests received atthe data manager through the first (e.g., generic) interface, to becompatible with the plug-in's corresponding storage system. In someembodiments, support for new storage systems can be provided by adding aplug-in to the data manager. The data manager can receive a storagesystem plug-in associated with the new storage system from anadministrator. In some embodiments, the plug-in can implement the SPIprovided by the data manager. The data manager can verify the plug-in(e.g., ensure that any required methods or configuration files areprovided) and then add the storage system plug-in to SPI layer.

At block 1410, data associated with the data request can be retrievedfrom the storage system using the storage system plug-in. In someembodiments, the converted data request can then be sent to the storagesystem through a second interface (specific to the storage system) tocreate, read, update, or delete data associated with the data request.The retrieved data can include a requested credential or policy, orverification of the successful completion or failure of a create,update, or delete operation.

At block 1412, the requested data can be returned to the SSO service. Insome embodiments, the requested data can include one or more credentialsmatching a search request. In some embodiments, the requested data caninclude a verification of the success or failure of a create, update, ordelete operation. In some embodiments, the data manager can receive aresponse from the storage system through the second (storagesystem-specific) interface, including the credential. The data managercan encrypt at least a portion of the credential and reformat theresponse based on the first interface before returning the responsethrough the first interface.

In some embodiments, the data manager can also receive data requestsrelated to a policy associated with an application. The data manager canidentify at least one storage system associated with the request and atleast one storage system plug-in corresponding to the at least onestorage system. The data manager can then create, read, update, ordelete one or more policies associated with the application from the atleast one storage system through the at least one storage systemplug-in. In some embodiments, the data manager can convert the requestfrom the first (e.g., generic) interface to a second (e.g., policystore-specific) interface and send the converted data request to thestorage system through the second interface to retrieve at least onepolicy responsive to the second data request. Responses can be similarlyreformatted from the second interface to the first interface beforereturning the response to the requesting application.

FIG. 15 depicts a simplified diagram of a distributed system 1500 forimplementing one of the embodiments. In the illustrated embodiment,distributed system 1500 includes one or more client computing devices1502, 1504, 1506, and 1508, which are configured to execute and operatea client application such as a web browser, proprietary client (e.g.,Oracle Forms), or the like over one or more network(s) 1510. Server 1512may be communicatively coupled with remote client computing devices1502, 1504, 1506, and 1508 via network 1510.

In various embodiments, server 1512 may be adapted to run one or moreservices or software applications provided by one or more of thecomponents of the system. In some embodiments, these services may beoffered as web-based or cloud services or under a Software as a Service(SaaS) model to the users of client computing devices 1502, 1504, 1506,and/or 1508. Users operating client computing devices 1502, 1504, 1506,and/or 1508 may in turn utilize one or more client applications tointeract with server 1512 to utilize the services provided by thesecomponents.

In the configuration depicted in the figure, the software components1518, 1520 and 1522 of system 1500 are shown as being implemented onserver 1512. In other embodiments, one or more of the components ofsystem 1500 and/or the services provided by these components may also beimplemented by one or more of the client computing devices 1502, 1504,1506, and/or 1508. Users operating the client computing devices may thenutilize one or more client applications to use the services provided bythese components. These components may be implemented in hardware,firmware, software, or combinations thereof. It should be appreciatedthat various different system configurations are possible, which may bedifferent from distributed system 1500. The embodiment shown in thefigure is thus one example of a distributed system for implementing anembodiment system and is not intended to be limiting.

Client computing devices 1502, 1504, 1506, and/or 1508 may be portablehandheld devices (e.g., an iPhone®, cellular telephone, an iPad®,computing tablet, a personal digital assistant (PDA)) or wearabledevices (e.g., a Google Glass® head mounted display), running softwaresuch as Microsoft Windows Mobile®, and/or a variety of mobile operatingsystems such as iOS, Windows Phone, Android, BlackBerry 10, Palm OS, andthe like, and being Internet, e-mail, short message service (SMS),Blackberry®, or other communication protocol enabled. The clientcomputing devices can be general purpose personal computers including,by way of example, personal computers and/or laptop computers runningvarious versions of Microsoft Windows®, Apple Macintosh®, and/or Linuxoperating systems. The client computing devices can be workstationcomputers running any of a variety of commercially-available UNIX® orUNIX-like operating systems, including without limitation the variety ofGNU/Linux operating systems, such as for example, Google Chrome OS.Alternatively, or in addition, client computing devices 1502, 1504,1506, and 1508 may be any other electronic device, such as a thin-clientcomputer, an Internet-enabled gaming system (e.g., a Microsoft Xboxgaming console with or without a Kinect® gesture input device), and/or apersonal messaging device, capable of communicating over network(s)1510.

Although exemplary distributed system 1500 is shown with four clientcomputing devices, any number of client computing devices may besupported. Other devices, such as devices with sensors, etc., mayinteract with server 1512.

Network(s) 1510 in distributed system 1500 may be any type of networkfamiliar to those skilled in the art that can support datacommunications using any of a variety of commercially-availableprotocols, including without limitation TCP/IP (transmission controlprotocol/Internet protocol), SNA (systems network architecture), IPX(Internet packet exchange), AppleTalk, and the like. Merely by way ofexample, network(s) 1510 can be a local area network (LAN), such as onebased on Ethernet, Token-Ring and/or the like. Network(s) 1510 can be awide-area network and the Internet. It can include a virtual network,including without limitation a virtual private network (VPN), anintranet, an extranet, a public switched telephone network (PSTN), aninfra-red network, a wireless network (e.g., a network operating underany of the Institute of Electrical and Electronics (IEEE) 802.11 suiteof protocols, Bluetooth®, and/or any other wireless protocol); and/orany combination of these and/or other networks.

Server 1512 may be composed of one or more general purpose computers,specialized server computers (including, by way of example, PC (personalcomputer) servers, UNIX® servers, mid-range servers, mainframecomputers, rack-mounted servers, etc.), server farms, server clusters,or any other appropriate arrangement and/or combination. In variousembodiments, server 1512 may be adapted to run one or more services orsoftware applications described in the foregoing disclosure. Forexample, server 1512 may correspond to a server for performingprocessing described above according to an embodiment of the presentdisclosure.

Server 1512 may run an operating system including any of those discussedabove, as well as any commercially available server operating system.Server 1512 may also run any of a variety of additional serverapplications and/or mid-tier applications, including HTTP (hypertexttransport protocol) servers, FTP (file transfer protocol) servers, CGI(common gateway interface) servers, JAVA® servers, database servers, andthe like. Exemplary database servers include without limitation thosecommercially available from Oracle, Microsoft, Sybase, IBM(International Business Machines), and the like.

In some implementations, server 1512 may include one or moreapplications to analyze and consolidate data feeds and/or event updatesreceived from users of client computing devices 1502, 1504, 1506, and1508. As an example, data feeds and/or event updates may include, butare not limited to, Twitter® feeds, Facebook® updates or real-timeupdates received from one or more third party information sources andcontinuous data streams, which may include real-time events related tosensor data applications, financial tickers, network performancemeasuring tools (e.g., network monitoring and traffic managementapplications), clickstream analysis tools, automobile trafficmonitoring, and the like. Server 1512 may also include one or moreapplications to display the data feeds and/or real-time events via oneor more display devices of client computing devices 1502, 1504, 1506,and 1508.

Distributed system 1500 may also include one or more databases 1514 and1516. Databases 1514 and 1516 may reside in a variety of locations. Byway of example, one or more of databases 1514 and 1516 may reside on anon-transitory storage medium local to (and/or resident in) server 1512.Alternatively, databases 1514 and 1516 may be remote from server 1512and in communication with server 1512 via a network-based or dedicatedconnection. In one set of embodiments, databases 1514 and 1516 mayreside in a storage-area network (SAN). Similarly, any necessary filesfor performing the functions attributed to server 1512 may be storedlocally on server 1512 and/or remotely, as appropriate. In one set ofembodiments, databases 1514 and 1516 may include relational databases,such as databases provided by Oracle, that are adapted to store, update,and retrieve data in response to SQL-formatted commands.

FIG. 16 is a simplified block diagram of one or more components of asystem environment 1600 by which services provided by one or morecomponents of an embodiment system may be offered as cloud services, inaccordance with an embodiment of the present disclosure. In theillustrated embodiment, system environment 1600 includes one or moreclient computing devices 1604, 1606, and 1608 that may be used by usersto interact with a cloud infrastructure system 1602 that provides cloudservices. The client computing devices may be configured to operate aclient application such as a web browser, a proprietary clientapplication (e.g., Oracle Forms), or some other application, which maybe used by a user of the client computing device to interact with cloudinfrastructure system 1602 to use services provided by cloudinfrastructure system 1602.

It should be appreciated that cloud infrastructure system 1602 depictedin the figure may have other components than those depicted. Further,the embodiment shown in the figure is only one example of a cloudinfrastructure system that may incorporate an embodiment of theinvention. In some other embodiments, cloud infrastructure system 1602may have more or fewer components than shown in the figure, may combinetwo or more components, or may have a different configuration orarrangement of components.

Client computing devices 1604, 1606, and 1608 may be devices similar tothose described above for 1502, 1504, 1506, and 1508.

Although exemplary system environment 1600 is shown with three clientcomputing devices, any number of client computing devices may besupported. Other devices such as devices with sensors, etc. may interactwith cloud infrastructure system 1602.

Network(s) 1610 may facilitate communications and exchange of databetween clients 1604, 1606, and 1608 and cloud infrastructure system1602. Each network may be any type of network familiar to those skilledin the art that can support data communications using any of a varietyof commercially-available protocols, including those described above fornetwork(s) 1510.

Cloud infrastructure system 1602 may comprise one or more computersand/or servers that may include those described above for server 1512.

In certain embodiments, services provided by the cloud infrastructuresystem may include a host of services that are made available to usersof the cloud infrastructure system on demand, such as online datastorage and backup solutions, Web-based e-mail services, hosted officesuites and document collaboration services, database processing, managedtechnical support services, and the like. Services provided by the cloudinfrastructure system can dynamically scale to meet the needs of itsusers. A specific instantiation of a service provided by cloudinfrastructure system is referred to herein as a “service instance.” Ingeneral, any service made available to a user via a communicationnetwork, such as the Internet, from a cloud service provider's system isreferred to as a “cloud service.” Typically, in a public cloudenvironment, servers and systems that make up the cloud serviceprovider's system are different from the customer's own on-premisesservers and systems. For example, a cloud service provider's system mayhost an application, and a user may, via a communication network such asthe Internet, on demand, order and use the application.

In some examples, a service in a computer network cloud infrastructuremay include protected computer network access to storage, a hosteddatabase, a hosted web server, a software application, or other serviceprovided by a cloud vendor to a user, or as otherwise known in the art.For example, a service can include password-protected access to remotestorage on the cloud through the Internet. As another example, a servicecan include a web service-based hosted relational database and ascript-language middleware engine for private use by a networkeddeveloper. As another example, a service can include access to an emailsoftware application hosted on a cloud vendor's web site.

In certain embodiments, cloud infrastructure system 1602 may include asuite of applications, middleware, and database service offerings thatare delivered to a customer in a self-service, subscription-based,elastically scalable, reliable, highly available, and secure manner. Anexample of such a cloud infrastructure system is the Oracle Public Cloudprovided by the present assignee.

In various embodiments, cloud infrastructure system 1602 may be adaptedto automatically provision, manage and track a customer's subscriptionto services offered by cloud infrastructure system 1602. Cloudinfrastructure system 1602 may provide the cloud services via differentdeployment models. For example, services may be provided under a publiccloud model in which cloud infrastructure system 1602 is owned by anorganization selling cloud services (e.g., owned by Oracle) and theservices are made available to the general public or different industryenterprises. As another example, services may be provided under aprivate cloud model in which cloud infrastructure system 1602 isoperated solely for a single organization and may provide services forone or more entities within the organization. The cloud services mayalso be provided under a community cloud model in which cloudinfrastructure system 1602 and the services provided by cloudinfrastructure system 1602 are shared by several organizations in arelated community. The cloud services may also be provided under ahybrid cloud model, which is a combination of two or more differentmodels.

In some embodiments, the services provided by cloud infrastructuresystem 1602 may include one or more services provided under Software asa Service (SaaS) category, Platform as a Service (PaaS) category,Infrastructure as a Service (IaaS) category, or other categories ofservices including hybrid services. A customer, via a subscriptionorder, may order one or more services provided by cloud infrastructuresystem 1602. Cloud infrastructure system 1602 then performs processingto provide the services in the customer's subscription order.

In some embodiments, the services provided by cloud infrastructuresystem 1602 may include, without limitation, application services,platform services and infrastructure services. In some examples,application services may be provided by the cloud infrastructure systemvia a SaaS platform. The SaaS platform may be configured to providecloud services that fall under the SaaS category. For example, the SaaSplatform may provide capabilities to build and deliver a suite ofon-demand applications on an integrated development and deploymentplatform. The SaaS platform may manage and control the underlyingsoftware and infrastructure for providing the SaaS services. Byutilizing the services provided by the SaaS platform, customers canutilize applications executing on the cloud infrastructure system.Customers can acquire the application services without the need forcustomers to purchase separate licenses and support. Various differentSaaS services may be provided. Examples include, without limitation,services that provide solutions for sales performance management,enterprise integration, and business flexibility for largeorganizations.

In some embodiments, platform services may be provided by the cloudinfrastructure system via a PaaS platform. The PaaS platform may beconfigured to provide cloud services that fall under the PaaS category.Examples of platform services may include without limitation servicesthat enable organizations (such as Oracle) to consolidate existingapplications on a shared, common architecture, as well as the ability tobuild new applications that leverage the shared services provided by theplatform. The PaaS platform may manage and control the underlyingsoftware and infrastructure for providing the PaaS services. Customerscan acquire the PaaS services provided by the cloud infrastructuresystem without the need for customers to purchase separate licenses andsupport. Examples of platform services include, without limitation,Oracle Java Cloud Service (JCS), Oracle Database Cloud Service (DBCS),and others.

By utilizing the services provided by the PaaS platform, customers canemploy programming languages and tools supported by the cloudinfrastructure system and also control the deployed services. In someembodiments, platform services provided by the cloud infrastructuresystem may include database cloud services, middleware cloud services(e.g., Oracle Fusion Middleware services), and Java cloud services. Inone embodiment, database cloud services may support shared servicedeployment models that enable organizations to pool database resourcesand offer customers a Database as a Service in the form of a databasecloud. Middleware cloud services may provide a platform for customers todevelop and deploy various business applications, and Java cloudservices may provide a platform for customers to deploy Javaapplications, in the cloud infrastructure system.

Various different infrastructure services may be provided by an IaaSplatform in the cloud infrastructure system. The infrastructure servicesfacilitate the management and control of the underlying computingresources, such as storage, networks, and other fundamental computingresources for customers utilizing services provided by the SaaS platformand the PaaS platform.

In certain embodiments, cloud infrastructure system 1602 may alsoinclude infrastructure resources 1630 for providing the resources usedto provide various services to customers of the cloud infrastructuresystem. In one embodiment, infrastructure resources 1630 may includepre-integrated and optimized combinations of hardware, such as servers,storage, and networking resources to execute the services provided bythe PaaS platform and the SaaS platform.

In some embodiments, resources in cloud infrastructure system 1602 maybe shared by multiple users and dynamically re-allocated per demand.Additionally, resources may be allocated to users in different timezones. For example, cloud infrastructure system 1630 may enable a firstset of users in a first time zone to utilize resources of the cloudinfrastructure system for a specified number of hours and then enablethe re-allocation of the same resources to another set of users locatedin a different time zone, thereby maximizing the utilization ofresources.

In certain embodiments, a number of internal shared services 1632 may beprovided that are shared by different components or modules of cloudinfrastructure system 1602 and by the services provided by cloudinfrastructure system 1602. These internal shared services may include,without limitation, a security and identity service, an integrationservice, an enterprise repository service, an enterprise managerservice, a virus scanning and white list service, a high availability,backup and recovery service, service for enabling cloud support, anemail service, a notification service, a file transfer service, and thelike.

In certain embodiments, cloud infrastructure system 1602 may providecomprehensive management of cloud services (e.g., SaaS, PaaS, and IaaSservices) in the cloud infrastructure system. In one embodiment, cloudmanagement functionality may include capabilities for provisioning,managing and tracking a customer's subscription received by cloudinfrastructure system 1602, and the like.

In one embodiment, as depicted in the figure, cloud managementfunctionality may be provided by one or more modules, such as an ordermanagement module 1620, an order orchestration module 1622, an orderprovisioning module 1624, an order management and monitoring module1626, and an identity management module 1628. These modules may includeor be provided using one or more computers and/or servers, which may begeneral purpose computers, specialized server computers, server farms,server clusters, or any other appropriate arrangement and/orcombination.

In exemplary operation 1634, a customer using a client device, such asclient device 1604, 1606 or 1608, may interact with cloud infrastructuresystem 1602 by requesting one or more services provided by cloudinfrastructure system 1602 and placing an order for a subscription forone or more services offered by cloud infrastructure system 1602. Incertain embodiments, the customer may access a cloud User Interface(UI), cloud UI 1612, cloud UI 1614 and/or cloud UI 1616 and place asubscription order via these UIs. The order information received bycloud infrastructure system 1602 in response to the customer placing anorder may include information identifying the customer and one or moreservices offered by the cloud infrastructure system 1602 that thecustomer intends to subscribe to.

After an order has been placed by the customer, the order information isreceived via the cloud UIs, 1612, 1614 and/or 1616.

At operation 1636, the order is stored in order database 1618. Orderdatabase 1618 can be one of several databases operated by cloudinfrastructure system 1618 and operated in conjunction with other systemelements.

At operation 1638, the order information is forwarded to an ordermanagement module 1620. In some instances, order management module 1620may be configured to perform billing and accounting functions related tothe order, such as verifying the order, and upon verification, bookingthe order.

At operation 1640, information regarding the order is communicated to anorder orchestration module 1622. Order orchestration module 1622 mayutilize the order information to orchestrate the provisioning ofservices and resources for the order placed by the customer. In someinstances, order orchestration module 1622 may orchestrate theprovisioning of resources to support the subscribed services using theservices of order provisioning module 1624.

In certain embodiments, order orchestration module 1622 enables themanagement of business processes associated with each order and appliesbusiness logic to determine whether an order should proceed toprovisioning. At operation 1642, upon receiving an order for a newsubscription, order orchestration module 1622 sends a request to orderprovisioning module 1624 to allocate resources and configure thoseresources needed to fulfill the subscription order. Order provisioningmodule 1624 enables the allocation of resources for the services orderedby the customer. Order provisioning module 1624 provides a level ofabstraction between the cloud services provided by cloud infrastructuresystem 1600 and the physical implementation layer that is used toprovision the resources for providing the requested services. Orderorchestration module 1622 may thus be isolated from implementationdetails, such as whether or not services and resources are actuallyprovisioned on the fly or pre-provisioned and only allocated/assignedupon request.

At operation 1644, once the services and resources are provisioned, anotification of the provided service may be sent to customers on clientdevices 1604, 1606 and/or 1608 by order provisioning module 1624 ofcloud infrastructure system 1602.

At operation 1646, the customer's subscription order may be managed andtracked by an order management and monitoring module 1626. In someinstances, order management and monitoring module 1626 may be configuredto collect usage statistics for the services in the subscription order,such as the amount of storage used, the amount data transferred, thenumber of users, and the amount of system up time and system down time.

In certain embodiments, cloud infrastructure system 1600 may include anidentity management module 1628. Identity management module 1628 may beconfigured to provide identity services, such as access management andauthorization services in cloud infrastructure system 1600. In someembodiments, identity management module 1628 may control informationabout customers who wish to utilize the services provided by cloudinfrastructure system 1602. Such information can include informationthat authenticates the identities of such customers and information thatdescribes which actions those customers are authorized to performrelative to various system resources (e.g., files, directories,applications, communication ports, memory segments, etc.) Identitymanagement module 1628 may also include the management of descriptiveinformation about each customer and about how and by whom thatdescriptive information can be accessed and modified.

FIG. 17 illustrates an exemplary computer system 1700, in which variousembodiments of the present invention may be implemented. The system 1700may be used to implement any of the computer systems described above. Asshown in the figure, computer system 1700 includes a processing unit1704 that communicates with a number of peripheral subsystems via a bussubsystem 1702. These peripheral subsystems may include a processingacceleration unit 1706, an I/O subsystem 1708, a storage subsystem 1718and a communications subsystem 1724. Storage subsystem 1718 includestangible computer-readable storage media 1722 and a system memory 1710.

Bus subsystem 1702 provides a mechanism for letting the variouscomponents and subsystems of computer system 1700 communicate with eachother as intended. Although bus subsystem 1702 is shown schematically asa single bus, alternative embodiments of the bus subsystem may utilizemultiple buses. Bus subsystem 1702 may be any of several types of busstructures including a memory bus or memory controller, a peripheralbus, and a local bus using any of a variety of bus architectures. Forexample, such architectures may include an Industry StandardArchitecture (ISA) bus, Micro Channel Architecture (MCA) bus, EnhancedISA (EISA) bus, Video Electronics Standards Association (VESA) localbus, and Peripheral Component Interconnect (PCI) bus, which can beimplemented as a Mezzanine bus manufactured to the IEEE P1386.1standard.

Processing unit 1704, which can be implemented as one or more integratedcircuits (e.g., a conventional microprocessor or microcontroller),controls the operation of computer system 1700. One or more processorsmay be included in processing unit 1704. These processors may includesingle core or multicore processors. In certain embodiments, processingunit 1704 may be implemented as one or more independent processing units1732 and/or 1734 with single or multicore processors included in eachprocessing unit. In other embodiments, processing unit 1704 may also beimplemented as a quad-core processing unit formed by integrating twodual-core processors into a single chip.

In various embodiments, processing unit 1704 can execute a variety ofprograms in response to program code and can maintain multipleconcurrently executing programs or processes. At any given time, some orall of the program code to be executed can be resident in processor(s)1704 and/or in storage subsystem 1718. Through suitable programming,processor(s) 1704 can provide various functionalities described above.Computer system 1700 may additionally include a processing accelerationunit 1706, which can include a digital signal processor (DSP), aspecial-purpose processor, and/or the like.

I/O subsystem 1708 may include user interface input devices and userinterface output devices. User interface input devices may include akeyboard, pointing devices such as a mouse or trackball, a touchpad ortouch screen incorporated into a display, a scroll wheel, a click wheel,a dial, a button, a switch, a keypad, audio input devices with voicecommand recognition systems, microphones, and other types of inputdevices. User interface input devices may include, for example, motionsensing and/or gesture recognition devices such as the Microsoft Kinect®motion sensor that enables users to control and interact with an inputdevice, such as the Microsoft Xbox® 360 game controller, through anatural user interface using gestures and spoken commands. Userinterface input devices may also include eye gesture recognition devicessuch as the Google Glass® blink detector that detects eye activity(e.g., ‘blinking’ while taking pictures and/or making a menu selection)from users and transforms the eye gestures as input into an input device(e.g., Google Glass®). Additionally, user interface input devices mayinclude voice recognition sensing devices that enable users to interactwith voice recognition systems (e.g., Siri® navigator), through voicecommands.

User interface input devices may also include, without limitation, threedimensional (3D) mice, joysticks or pointing sticks, gamepads andgraphic tablets, and audio/visual devices such as speakers, digitalcameras, digital camcorders, portable media players, webcams, imagescanners, fingerprint scanners, barcode reader 3D scanners, 3D printers,laser rangefinders, and eye gaze tracking devices. Additionally, userinterface input devices may include, for example, medical imaging inputdevices such as computed tomography, magnetic resonance imaging,position emission tomography, medical ultrasonography devices. Userinterface input devices may also include, for example, audio inputdevices such as MIDI keyboards, digital musical instruments and thelike.

User interface output devices may include a display subsystem, indicatorlights, or non-visual displays such as audio output devices, etc. Thedisplay subsystem may be a cathode ray tube (CRT), a flat-panel device,such as that using a liquid crystal display (LCD) or plasma display, aprojection device, a touch screen, and the like. In general, use of theterm “output device” is intended to include all possible types ofdevices and mechanisms for outputting information from computer system1700 to a user or other computer. For example, user interface outputdevices may include, without limitation, a variety of display devicesthat visually convey text, graphics and audio/video information such asmonitors, printers, speakers, headphones, automotive navigation systems,plotters, voice output devices, and modems.

Computer system 1700 may comprise a storage subsystem 1718 thatcomprises software elements, shown as being currently located within asystem memory 1710. System memory 1710 may store program instructionsthat are loadable and executable on processing unit 1704, as well asdata generated during the execution of these programs.

Depending on the configuration and type of computer system 1700, systemmemory 1710 may be volatile (such as random access memory (RAM)) and/ornon-volatile (such as read-only memory (ROM), flash memory, etc.) TheRAM typically contains data and/or program modules that are immediatelyaccessible to and/or presently being operated and executed by processingunit 1704. In some implementations, system memory 1710 may includemultiple different types of memory, such as static random access memory(SRAM) or dynamic random access memory (DRAM). In some implementations,a basic input/output system (BIOS), containing the basic routines thathelp to transfer information between elements within computer system1700, such as during start-up, may typically be stored in the ROM. Byway of example, and not limitation, system memory 1710 also illustratesapplication programs 1712, which may include client applications, Webbrowsers, mid-tier applications, relational database management systems(RDBMS), etc., program data 1714, and an operating system 1716. By wayof example, operating system 1716 may include various versions ofMicrosoft Windows®, Apple Macintosh®, and/or Linux operating systems, avariety of commercially-available UNIX® or UNIX-like operating systems(including without limitation the variety of GNU/Linux operatingsystems, the Google Chrome® OS, and the like) and/or mobile operatingsystems such as iOS, Windows® Phone, Android® OS, BlackBerry® 17 OS, andPalm® OS operating systems.

Storage subsystem 1718 may also provide a tangible computer-readablestorage medium for storing the basic programming and data constructsthat provide the functionality of some embodiments. Software (programs,code modules, instructions) that when executed by a processor providethe functionality described above may be stored in storage subsystem1718. These software modules or instructions may be executed byprocessing unit 1704. Storage subsystem 1718 may also provide arepository for storing data used in accordance with the presentinvention.

Storage subsystem 1700 may also include a computer-readable storagemedia reader 1720 that can further be connected to computer-readablestorage media 1722. Together and, optionally, in combination with systemmemory 1710, computer-readable storage media 1722 may comprehensivelyrepresent remote, local, fixed, and/or removable storage devices plusstorage media for temporarily and/or more permanently containing,storing, transmitting, and retrieving computer-readable information.

Computer-readable storage media 1722 containing code, or portions ofcode, can also include any appropriate media known or used in the art,including storage media and communication media, such as but not limitedto, volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information. This can include tangible computer-readable storagemedia such as RAM, ROM, electronically erasable programmable ROM(EEPROM), flash memory or other memory technology, CD-ROM, digitalversatile disk (DVD), or other optical storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or other tangible computer readable media. This can also includenontangible computer-readable media, such as data signals, datatransmissions, or any other medium which can be used to transmit thedesired information and which can be accessed by computing system 1700.

By way of example, computer-readable storage media 1722 may include ahard disk drive that reads from or writes to non-removable, nonvolatilemagnetic media, a magnetic disk drive that reads from or writes to aremovable, nonvolatile magnetic disk, and an optical disk drive thatreads from or writes to a removable, nonvolatile optical disk such as aCD ROM, DVD, and Blu-Ray® disk, or other optical media.Computer-readable storage media 1722 may include, but is not limited to,Zip® drives, flash memory cards, universal serial bus (USB) flashdrives, secure digital (SD) cards, DVD disks, digital video tape, andthe like. Computer-readable storage media 1722 may also include,solid-state drives (SSD) based on non-volatile memory such asflash-memory based SSDs, enterprise flash drives, solid state ROM, andthe like, SSDs based on volatile memory such as solid state RAM, dynamicRAM, static RAM, DRAM-based SSDs, magnetoresistive RAM (MRAM) SSDs, andhybrid SSDs that use a combination of DRAM and flash memory based SSDs.The disk drives and their associated computer-readable media may providenon-volatile storage of computer-readable instructions, data structures,program modules, and other data for computer system 1700.

Communications subsystem 1724 provides an interface to other computersystems and networks. Communications subsystem 1724 serves as aninterface for receiving data from and transmitting data to other systemsfrom computer system 1700. For example, communications subsystem 1724may enable computer system 1700 to connect to one or more devices viathe Internet. In some embodiments communications subsystem 1724 caninclude radio frequency (RF) transceiver components for accessingwireless voice and/or data networks (e.g., using cellular telephonetechnology, advanced data network technology, such as 3G, 4G or EDGE(enhanced data rates for global evolution), WiFi (IEEE 802.11 familystandards, or other mobile communication technologies, or anycombination thereof), global positioning system (GPS) receivercomponents, and/or other components. In some embodiments communicationssubsystem 1724 can provide wired network connectivity (e.g., Ethernet)in addition to or instead of a wireless interface.

In some embodiments, communications subsystem 1724 may also receiveinput communication in the form of structured and/or unstructured datafeeds 1726, event streams 1728, event updates 1730, and the like onbehalf of one or more users who may use computer system 1700.

By way of example, communications subsystem 1724 may be configured toreceive data feeds 1726 in real-time from users of social networksand/or other communication services such as Twitter® feeds, Facebook®updates, web feeds such as Rich Site Summary (RSS) feeds, and/orreal-time updates from one or more third party information sources.

Additionally, communications subsystem 1724 may also be configured toreceive data in the form of continuous data streams, which may includeevent streams 1728 of real-time events and/or event updates 1730, thatmay be continuous or unbounded in nature with no explicit end. Examplesof applications that generate continuous data may include, for example,sensor data applications, financial tickers, network performancemeasuring tools (e.g. network monitoring and traffic managementapplications), clickstream analysis tools, automobile trafficmonitoring, and the like.

Communications subsystem 1724 may also be configured to output thestructured and/or unstructured data feeds 1726, event streams 1728,event updates 1730, and the like to one or more databases that may be incommunication with one or more streaming data source computers coupledto computer system 1700.

Computer system 1700 can be one of various types, including a handheldportable device (e.g., an iPhone® cellular phone, an iPad® computingtablet, a PDA), a wearable device (e.g., a Google Glass® head mounteddisplay), a PC, a workstation, a mainframe, a kiosk, a server rack, orany other data processing system.

Due to the ever-changing nature of computers and networks, thedescription of computer system 1700 depicted in the figure is intendedonly as a specific example. Many other configurations having more orfewer components than the system depicted in the figure are possible.For example, customized hardware might also be used and/or particularelements might be implemented in hardware, firmware, software (includingapplets), or a combination. Further, connection to other computingdevices, such as network input/output devices, may be employed. Based onthe disclosure and teachings provided herein, a person of ordinary skillin the art will appreciate other ways and/or methods to implement thevarious embodiments.

In the foregoing specification, aspects of the invention are describedwith reference to specific embodiments thereof, but those skilled in theart will recognize that the invention is not limited thereto. Variousfeatures and aspects of the above-described invention may be usedindividually or jointly. Further, embodiments can be utilized in anynumber of environments and applications beyond those described hereinwithout departing from the broader spirit and scope of thespecification. The specification and drawings are, accordingly, to beregarded as illustrative rather than restrictive.

What is claimed is:
 1. A method comprising: based on a response receivedfrom an application, modifying, by a computer system, the response toinclude one or more computer-executable instructions, wherein theresponse is based on a first request by a device to access theapplication; and sending, by the computer system, the modified responseto the device; wherein execution of the one or more computer-executableinstructions on the device causes the device to: obtain, from thecomputer system, a plurality of credentials associated with a user ofthe device; invoke an automated logon chooser process that, until asuccessful logon is detected, for each credential of the plurality ofcredentials, submits the credential to the application for logon; and inresponse to detecting the successful logon to the application, send, tothe computer system, a second request to update a user credentialassociated with the user for the application with the credential thatresulted in the successful logon.
 2. The method of claim 1, wherein theautomated logon chooser process is further configured to: display, atthe device, an interface that enables selection of a credential from theplurality of credentials; submit the selected credential to theapplication for logon; and detect whether authentication of the user issuccessful.
 3. The method of claim 2: wherein the execution of the oneor more computer-executable instructions further causes the device toobtain, from the computer system, a page template and match the pagetemplate to a page received from the application; and wherein submittingthe selected credential to the application for logon comprises injectingthe selected credential into one or more fields on the matched page andsubmitting the matched page with the selected credential to theapplication.
 4. The method of claim 1, wherein execution of the one ormore computer-executable instructions on the device causes the deviceto: for each credential the automated logon chooser process submits tothe application for logon: monitor a status of submitting the credentialto the application for logon; and detect whether authentication of theuser is successful using the credential.
 5. The method of claim 1,wherein the execution of the one or more computer-executableinstructions further causes the device to: identify a platformassociated with the device; and execute one or more operations at thedevice based on the identified platform.
 6. The method of claim 5,wherein the platform is determined based on a type of browserapplication, a type of operating system, a type of the device, or acombination thereof.
 7. The method of claim 1, further comprising:receiving, at the computer system, the first request from the device toaccess the application; sending, by the computer system, the firstrequest to the application; and receiving, at the computer system, theresponse from the application.
 8. The method of claim 1, wherein the oneor more computer-executable instructions are based on JavaScript code.9. A system comprising: one or more processors; and a memory accessibleto the one or more processors, the memory storing one or moreinstructions which, upon execution by the one or more processors, causesthe one or more processors to: based on a response received from anapplication, modify the response to include one or morecomputer-executable instructions, wherein the response is based on afirst request by a device to access the application; and send themodified response to the device; wherein execution of the one or morecomputer-executable instructions on the device causes the device to:obtain, from the system, a plurality of credentials associated with auser of the device; invoke an automated logon chooser process that,until a successful logon is detected, for each credential of theplurality of credentials, submits the credential to the application forlogon; and in response to detecting the successful logon to theapplication, send, to the system, a second request to update a usercredential associated with the user for the application with thecredential that resulted in the successful logon.
 10. The system ofclaim 9, wherein the automated logon chooser process is furtherconfigured to: display, at the device, an interface that enablesselection of a credential from the plurality of credentials; submit theselected credential to the application for logon; and detect whetherauthentication of the user is successful.
 11. The system of claim 10:wherein the execution of the one or more computer-executableinstructions further causes the device to obtain, from the system, apage template and match the page template to a page received from theapplication; and wherein submitting the selected credential to theapplication for logon comprises injecting the selected credential intoone or more fields on the matched page and submitting the matched pagewith the selected credential to the application.
 12. The system of claim9, wherein execution of the one or more computer-executable instructionson the device causes the device to: for each credential the automatedlogon chooser process submits to the application for logon: monitor astatus of submitting the credential to the application for logon; anddetect whether authentication of the user is successful using thecredential.
 13. The system of claim 9, wherein the execution of the oneor more computer-executable instructions further causes the device to:identify a platform associated with the device; and execute one or moreoperations at the device based on the identified platform.
 14. Thesystem of claim 13, wherein the platform is determined based on a typeof browser application, a type of operating system, a type of thedevice, or a combination thereof.
 15. The system of claim 9, furthercomprising: receiving the first request from the device to access theapplication; sending the first request to the application; and receivingthe response from the application.
 16. The system of claim 9, whereinthe one or more computer-executable instructions are based on JavaScriptcode.
 17. A method comprising: sending, by a device, to a computersystem, a first request to access an application; and based on the firstrequest, receiving, by the device, from the computer system, a responseincluding one or more computer-executable instructions; executing, bythe device, the one or more computer-executable instructions that areincluded in the response received from the computer system, whereinexecution of the one or more computer-executable instructions causes thedevice to: obtain, from the computer system, a plurality of credentialsassociated with a user of the device; invoke an automated logon chooserprocess that, until a successful logon is detected, for each credentialof the plurality of credentials, submits the credential to theapplication for logon; and in response to detecting the successful logonto the application, send, to the computer system, a second request toupdate a user credential associated with the user for the applicationwith the credential that resulted in the successful logon.
 18. Themethod of claim 17, wherein the automated logon chooser process isfurther configured to: display, at the device, an interface that enablesselection of a credential from the plurality of credentials; submit theselected credential to the application for logon; and detect whetherauthentication of the user is successful.
 19. The method of claim 18:wherein the execution of the one or more computer-executableinstructions further causes the device to obtain, from the computersystem, a page template and match the page template to a page receivedfrom the application; and wherein submitting the selected credential tothe application for logon comprises injecting the selected credentialinto one or more fields on the matched page and submitting the matchedpage with the selected credential to the application.
 20. The method ofclaim 17, wherein execution of the one or more computer-executableinstructions on the device causes the device to: for each credential theautomated logon chooser process submits to the application for logon:monitor a status of submitting the credential to the application forlogon; and detect whether authentication of the user is successful usingthe credential.